The Real Price of Virtual Kidnappings
A MAN TRAVELS to Mexico on business. During his trip, his wife receives a call from her husband’s cell phone. Upon answering, she hears screaming. Then the voice of a stranger comes onto the phone, saying the screams were those of her husband, whom he has kidnapped. He demands a money transfer of $1,000 within five hours, adding that if he doesn’t get the payment, he will kill her husband. A few expletives are thrown in for emphasis.
The wife is terrified. She calls her husband’s cell phone, and the same man answers. Convinced he has her husband, she complies with his demands and sends $1,000 through Western Union.
Hours later the husband calls and tells her what actually happened. His cell phone was stolen earlier that day.
The wife in this scenario has just been the victim of the crime of “virtual kidnapping,” where criminals leverage a stolen cell phone or stolen personal information to scare a quick ransom payment out of a company or a family without ever abducting anyone.
The practice has become so prevalent in Mexico that the government has created a cell phone registry to try and track down virtual kidnappers.
Christopher Voss, managing director of Insite Security’s kidnapping resolution practice and a former FBI kidnap and ransom negotiator, tells Security Management of one case the FBI worked on in the San Diego area. A family’s college-aged kid went down to Tijuana to party and lost his ID and his phone. Knowing they had some time before the hung-over co-ed started looking for his missing property, the people who found it decided they had time to try and extort money from his parents. In this case, they called the FBI, which determined that it was a hoax, and the parents did not pay the ransom.
Special Agent Brad Bryant, chief of the FBI’s Violent Crimes and Major Offenders Unit, says the bureau has no open virtual kidnapping investigations in the United States to his knowledge, but that doesn’t indicate how often cases occur. Solid statistics on this type of crime are hard to come by, says Fred Burton, vice president of intelligence for STRATFOR, a private intelligence firm. Multinational companies that have fallen victim to the ruse won’t publicize it for fear of harming their brand and making themselves and their employees a bigger target for other virtual kidnappers. Burton confirmed to Security Management that U.S. companies have been victimized but would not elaborate.
Burton adds that he would look on any virtual kidnapping statistics with a grain of salt. “I don’t think there’s any one entity that you can go to that’s capable of providing… accurate numbers,” he says.
While the specifics may be hard to nail down, there’s no doubt that, in general, virtual kidnappings are attractive to criminals and are likely to continue to be a problem. “[F]rom the criminal’s side, there’s very little investment in time or effort,” explains Voss.
When criminals carry out real kidnappings, they need safe houses to hide the abducted subjects, and they must go to the trouble to keep them reasonably cared for if they plan to return them for the ransom. Virtual kidnappers, on the other hand, just need a phone line, some personal information, and the ability to terrify their victim—which isn’t hard when he or she believes an employee or a loved one’s life is on the line.
There are ways to avoid being the victim of a virtual kidnapping scheme, say experts. One of the first and most important steps is to practice good cell-phone hygiene. Jaime Garcia, security manager for Mexico and Texas for the automotive parts maker Delphi, advises employees to go through their cell phones and eliminate any generic names.
“There should be no ‘home,’ ‘office,’ ‘babe,’ ‘honey,’ whatever,” he says. That way, a virtual kidnapper can’t just steal a phone and hit one of those contacts to make the ransom call. Garcia suggests that travelers clear their calling history daily so that a thief won’t be able to guess by the frequency of calls that a particular number is a loved one or an employer.
He also advises employees with the ability to password protect their cell phone or smartphone to do so. Virtual kidnappers can’t access phone numbers or personal information if they can’t get at it. And they need that type of information to carry out their scheme.
Cell phones are not the only source of that type of personal information, however. Virtual kidnappers also harvest personal numbers and family information from wallets or purses they’ve stolen, says Voss.
That’s why Garcia tells his traveling employees to “sanitize” their wallets and purses—to cleanse them of the type of personal data that a virtual kidnapper could use, such as pictures of loved ones with names on the back, which would help a virtual kidnapper weave a convincing story. Travelers should also be careful not to give personal information inadvertently or carelessly; the person requesting it might have ulterior motives.
If a company or loved one does receive a ransom call, they can’t know whether it is for real, so the same rules of kidnapping apply: get “proof of life,” says Voss. If a voice over a phone says they have your employee or loved one, ask the caller, “How do I know he’s alive? Can I speak with him?”
According to Voss, asking that question will not increase the risk to the person if they really are kidnapped, because professional kidnappers know they must prove the abducted person is alive for payment. They are, after all, basically profit-seeking businessmen.
“If you’ve got someone claiming to have kidnapped an employee or a loved one, and they want the money now, and they want it wired now, they probably don’t have him,” says Voss.
People don’t have to go it alone, however. The FBI’s Bryant says American employers or family members who receive a call from someone claiming to have kidnapped their employee or family member in another country should contact their local FBI field office and the State Department immediately. The State Department will contact the U.S. Embassy in the relevant country.
If it’s in Mexico, “They’ll contact our legal attaché in Mexico, who has a good relationship with Mexican law enforcement,” Bryant says.
Garcia recommends having employees prepare two code words with their offices and families to quickly confirm proof of life as well as how grave the situation is. Garcia, who travels nearly every day into Mexico, says he has already done this with his family. One code word is positive, and it means that kidnappers have him, he’s in good shape, and negotiate for his release. The negative code word, however, means he’s in poor shape and to do whatever is necessary to get him out as fast as possible.
“If my [family] does not hear a code word, they’re to hang up,” he says. “Because it’s only one of two things: They don’t have me, or I’m already dead. So there’s no reason to be sending money if I’m already gone.”
Another thing a company can do to protect against virtual kidnapping is to let all employees know that honesty won’t end in their termination. If a traveling employee goes out, gets drunk, and loses a company’s electronic device with sensitive corporate or personal information on it, the office should want him to report it immediately.
“The bottom line is [an employee] is going to put his company in a bad position in having to potentially pay the ransom when he wasn’t kidnapped, he was hung over,” Voss says.
More importantly, companies should educate employees so that they know they need to follow commonsense security precautions as discussed, using a password to protect data on their phone, for example. During travel, they should be required to call their office and loved ones at designated times to let them know everything is okay. Finally, employees need to become more aware of their surroundings so that they don’t make themselves an easy mark.